While cleaning up the LDT code, I noticed that the kprobes code was very bogus with respect to segment handling. Many, many bugs are fixed here. I chose to combine the three separate functions that try to do linear address conversion into one nice, working function. All of the versions had bugs.

1) Taking an int3 from v8086 mode could cause the kprobes code to read a non-existent LDT.

2) The CS value was not truncated to 16 bit, which could cause an access beyond the bounds of the LDT.

3) The LDT was being read without taking the mm->context semaphore, which means bogus and or non-existent vmalloc()ed pages could be read.

4) 16-bit code segments do not truncate EIP to 16-bit; it is perfectly valid to issue an instruction at 0xffff, and there is no wraparound of EIP in protected mode.

5) V8086 mode does truncate EIP to 16-bit.

6) Taking the mm->context semaphore requires interrupts to be enabled.

7) Do not assume the GDT TLS descriptors are flat.

8) Raceful testing of segment access rights without the LDT semaphore.

9) Segment limit for V8086 code is USER limit.

Kprobes was still broken; it would try to read userspace directly; since I'm already here, I might as well fix that too.
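To make the list above concrete, here is a small user-space model of a CS:EIP to linear conversion that gets items 1, 2, 4, 5, 7 and 8 right. This is an added illustration, not the kernel's code or the code in the patch below: `struct toy_context`, `make_desc`, `eip_to_linear`, `demo_ctx` and the `demo_*` wrappers are all invented here, the descriptor tables are constructed test data, and the locking requirements (items 3 and 6) are only noted in comments because a single-threaded model has nothing to lock. The descriptor bit layout it decodes is the real x86 one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Raw 8-byte x86 code/data descriptor as stored in a GDT or LDT. */
struct desc { uint32_t a, b; };

/* Toy stand-in for a task's mm->context plus its GDT. No locking here: a
 * real implementation must hold the LDT semaphore across the whole lookup
 * (item 3), which in turn means interrupts must be enabled (item 6). */
struct toy_context {
    const struct desc *gdt; size_t gdt_entries;
    const struct desc *ldt; size_t ldt_entries;
};

#define SEL_TI_LDT 0x4u           /* selector table-indicator: 1 = LDT */
#define DESC_P     0x00008000u    /* desc.b: segment present */
#define DESC_S     0x00001000u    /* desc.b: code/data (not system) */
#define DESC_CODE  0x00000800u    /* desc.b: executable */
#define DESC_D     0x00400000u    /* desc.b: 32-bit default operand size */
#define DESC_G     0x00800000u    /* desc.b: limit counts 4 KiB pages */
#define NOADDR     ((uint64_t)-1) /* "this selector would fault" sentinel */

/* Encode base/limit/flags into the split x86 descriptor layout. */
struct desc make_desc(uint32_t base, uint32_t limit, uint32_t flags)
{
    struct desc d;
    d.a = ((base & 0xffffu) << 16) | (limit & 0xffffu);
    d.b = (base & 0xff000000u) | ((base >> 16) & 0xffu) | (limit & 0xf0000u) | flags;
    return d;
}

static uint32_t desc_base(const struct desc *d)
{
    return (d->a >> 16) | ((d->b & 0xffu) << 16) | (d->b & 0xff000000u);
}

static uint32_t desc_limit(const struct desc *d)
{
    uint32_t limit = (d->a & 0xffffu) | (d->b & 0xf0000u);
    return (d->b & DESC_G) ? (limit << 12) | 0xfffu : limit;
}

/* Convert CS:EIP to a linear address; *eip_limit receives the last linear
 * byte of the code segment. Returns NOADDR if the selector would fault. */
uint64_t eip_to_linear(uint32_t eip, uint32_t cs, bool vm86,
                       const struct toy_context *ctx, uint64_t *eip_limit)
{
    uint32_t seg = cs & 0xffffu;   /* item 2: a selector is 16 bits wide */

    if (vm86) {                    /* items 1 and 5: no LDT, EIP wraps at 16 bits */
        uint64_t base = (uint64_t)seg << 4;
        *eip_limit = base + 0xffffu;
        return base + (eip & 0xffffu);
    }

    const struct desc *table = (seg & SEL_TI_LDT) ? ctx->ldt : ctx->gdt;
    size_t entries = (seg & SEL_TI_LDT) ? ctx->ldt_entries : ctx->gdt_entries;
    size_t idx = seg >> 3;
    if (table == NULL || idx >= entries)   /* bogus selector: would #GP */
        return NOADDR;
    const struct desc *d = &table[idx];

    /* item 8: check rights on the very descriptor whose base we then use. */
    if ((d->b & (DESC_P | DESC_S | DESC_CODE)) != (DESC_P | DESC_S | DESC_CODE))
        return NOADDR;

    uint64_t base = desc_base(d), limit = desc_limit(d);
    /* item 4: a 16-bit code segment (D clear) does not wrap EIP; the segment
     * limit is the only bound, so EIP 0xffff is valid when the limit is 0xffff. */
    if (eip > limit)
        return NOADDR;
    *eip_limit = base + limit;
    return base + eip;             /* item 7: GDT entries keep their real base */
}

/* Constructed demo tables: a non-flat 32-bit GDT code entry at index 6 (a
 * TLS-style slot), an LDT with a not-present entry 0 and a 16-bit code
 * entry 1 whose limit is 0xffff. */
static const struct toy_context *demo_ctx(void)
{
    static struct desc gdt[8], ldt[2];
    static struct toy_context ctx = { gdt, 8, ldt, 2 };
    gdt[6] = make_desc(0x10000000u, 0xfffffu, DESC_P | DESC_S | DESC_CODE | DESC_D | DESC_G);
    ldt[0] = make_desc(0, 0xfffffu, DESC_S | DESC_CODE | DESC_G);          /* P clear */
    ldt[1] = make_desc(0x40000000u, 0xffffu, DESC_P | DESC_S | DESC_CODE);  /* D clear */
    return &ctx;
}

uint64_t demo_linear(uint32_t eip, uint32_t cs, bool vm86)
{
    uint64_t lim;
    return eip_to_linear(eip, cs, vm86, demo_ctx(), &lim);
}

uint64_t demo_eip_limit(uint32_t eip, uint32_t cs, bool vm86)
{
    uint64_t lim = NOADDR;
    return eip_to_linear(eip, cs, vm86, demo_ctx(), &lim) == NOADDR ? NOADDR : lim;
}

int main(void)
{
    printf("v86 1234:10005  -> %#llx\n", (unsigned long long)demo_linear(0x10005, 0x1234, true));
    printf("ldt 000f:ffff   -> %#llx\n", (unsigned long long)demo_linear(0xffff, 0x000f, false));
    printf("ldt 000f:10000  -> %#llx\n", (unsigned long long)demo_linear(0x10000, 0x000f, false));
    return 0;
}
```

Selector 0x000f is LDT index 1 at RPL 3; 0x0033 is GDT index 6. Note that a selector such as 0x1234 in protected mode has the TI bit set and indexes far past the end of the two-entry LDT, so the function reports a fault rather than reading beyond the table, which is exactly the access item 2 was about.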

-static unsigned long convert_eip_to_linear(struct task_struct *child, struct pt_regs *regs)+/*+ * Get the GDT/LDT descriptor base. When you look for races in this code+ * remember that LDT and other horrors are only used in user space. Must+ * disable pre-emption to reading the GDT, and must take the LDT semaphore+ * for LDT segments. The fast path handles standard kernel and user CS+ * as well as V8086 mode.+ */+unsigned long convert_eip_to_linear_slow(unsigned long eip, unsigned long seg,+ mm_context_t *context, unsigned long *eip_limit) {- unsigned long addr, seg;+ unsigned long base, seg_limit;+ u32 seg_ar;+ struct desc_struct *desc;+ unsigned long flags;
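Review bot: the new doc comment for convert_eip_to_linear_slow() should state the locking contract rather than leave it to the reader: it says the caller "must disable pre-emption to reading the GDT, and must take the LDT semaphore for LDT segments", but it does not say whether the semaphore is taken inside this function or must already be held by the caller, and given point 6 in the description (taking mm->context.sem requires interrupts enabled) it should also say that this slow path may not be called from a context with interrupts disabled. The phrase "to reading the GDT" reads as a typo for "while reading the GDT". The new eip_limit out-parameter also deserves one line of documentation (last valid byte versus one past the end), since callers that fetch multi-byte instructions will compare against it. Finally, the comment refers to a fast path that handles the standard kernel/user CS and V8086 mode, but the function takes only eip, seg and the mm context, so the V8086 check must happen in that fast path; a sentence saying so would save the next reader from looking for an eflags parameter here.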